Hacked!

If you ride a motorcycle, you know that it's not "if you fall down," but "when you fall down." As a rider, you can't prevent the inevitable, but you can learn what to do in a crash, and learn what to do to minimize your own injuries.

Having a computer connected to the Internet is like riding a motorcycle. Eventually, you’re going to get hacked. So, if you’ve been hacked, or if you think you’ve been hacked, here’s what to do: don’t panic.

Next, you have a simple decision to make, but with not so simple consequences: do you want to gather information for possible prosecution? Or, do you just want to secure your machine and get back to work?

Preparing for prosecution entails quite a bit of time and effort. If you decide to follow this course, see the sidebar “Security Related URLS.” You should also consult competent legal counsel to learn your rights and options.

No matter what course you choose, you’ll eventually have to secure your machine and bring it back to an uncompromised, useful state. The steps to recover from an intrusion are simple, but may require quite a bit of work.

1. Disconnect your system from the network! Disconnecting the machine isolates it from further damage, and prevents it from causing further damage elsewhere.

2. Save a copy of all your configuration files, such as /etc/fstab, /etc/passwd, /etc/inetd.conf, sendmail.cf, etc.

3. Backup everything! Backups also preserve any configuration files that you may need later.

4. Now the painful part: reinstall the operating system and all applications from known, uncompromised media. If you have the ability to verify that your applications have not been tampered with, you can recover them from backups.

5. Reconfigure your system. Double-check all of your configurations and security settings. If you can deduce what security shortfall permitted the breach, fix it now.
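As an added example that is not part of the column, here is a small POSIX shell script for steps 2 and 4: it copies the configuration files aside and records a SHA-256 manifest, so that after the reinstall you can tell which restored files are byte-identical to the copies you saved. The file list (including the /etc/inetd.conf and /etc/mail/sendmail.cf paths) and the function names are assumptions, and sha256sum is the GNU coreutils tool.

```shell
#!/bin/sh
# Added example, not from the original column. Snapshot configuration files
# with a SHA-256 manifest before wiping the machine, then check restored
# copies against it. Note the limit of this check: the manifest only proves a
# file is unchanged since the snapshot, not that the snapshot itself was clean.
set -u

# Assumed list of files worth preserving (step 2); adjust to your system.
CONFIG_FILES="/etc/fstab /etc/passwd /etc/inetd.conf /etc/mail/sendmail.cf"

# snapshot_configs DEST FILE...: copy each regular file under DEST, keeping its
# original path, and append its hash to DEST/MANIFEST.sha256. Files that do not
# exist are reported and skipped rather than aborting the whole snapshot.
snapshot_configs() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST.sha256"
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skip: $f (not a regular file)" >&2
            continue
        fi
        mkdir -p "$dest/$(dirname "$f")"
        cp -p "$f" "$dest/$f"
        sha256sum "$f" >> "$dest/MANIFEST.sha256"
    done
}

# verify_configs DEST: compare the live files with the manifest. Exits 0 when
# every file matches, non-zero otherwise; mismatching paths are printed with
# FAILED so you can inspect them by hand before trusting them again.
verify_configs() {
    sha256sum --check --quiet "$1/MANIFEST.sha256"
}

# Typical use, run as root after disconnecting the machine (step 1):
#   snapshot_configs /mnt/backup/pre-reinstall $CONFIG_FILES
# and after reinstalling and restoring (step 4):
#   verify_configs /mnt/backup/pre-reinstall
```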

For maintaining a Web site, lftp is ideal. According to the lftp web site, “LFTP is a sophisticated FTP/HTTP client and file transfer program. Like BASH, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It was designed with reliability in mind.”

lftp has many commands, but for the purpose of updating a website, you’re likely to use a sequence of commands that looks something like this:

5. Reverse mirror (put) the new or changed files (--only-newer), delete any files you have removed from your local version (--delete).

6. Exit when completed.

In step five, use the --delete option carefully! Also note that if you do not use the --reverse option, lftp will get the remote files and overwrite your local copy.

Since your user name and password are in this script, be sure to keep this file safe, and make sure it's not readable by anyone else by using chmod go-rwx update_website. It would be even better if the password used to update your Web site is different than any other password you use.

lftp has many other options, including secure file transfers. Read the man page to learn more.

John R. S. Mascio is an independent systems and network management consultant. He can be reached at mascio@ryu.com.